Changeset 32349 for main/trunk

Timestamp:

2018-08-21T18:30:43+12:00 (6 years ago)

Author:

ak19

Message:

Rough draft of working ant targets that automate obtaining (and revoking) a certificate from LetsEncrypt for https. The targets are still messy, but work. I will recommit tidier versions hereafter

Location:

main/trunk/greenstone3

Files:

• build.xml (modified) (3 diffs)
• resources/tomcat/server_tomcat7.xml.svn (modified) (1 diff)

main/trunk/greenstone3/build.xml

@@ -148 +148 @@
     <!-- 
      Bail if https is enabled but the keystore password (keystore.pass property) is not set.
-     However, keystore.pass has no default value and is therefore not set as a rule. So don't bail when 'ant' is run for the first time to create buil.dprops from build.props.svn. But do bail if running ant.prepare and https enabled and password not set.
+     However, keystore.pass has no default value and is therefore not set as a rule. So don't bail when 'ant' is run for the first time to create build.props from build.props.svn. But do bail if running ant.prepare and https enabled and password not set.
      (Maybe put this entire section before the first target: so we only bail after all non-targets are executed so that any other first ever initialisation is completed?)
     -->
@@ -1577 +1577 @@
   <target name="update-web" depends="init,svnupdate-web,configure-web"
     description="update only the web stuff (config files)"/>
+
+  <!-- ============ Targets concerned with https certification ================ -->
+  <target name="remove-cert-https">
+    <echo>
+      NOTE: You need to have sudo permissions to execute this target.
+      Enter the sudo password if prompted.
+    </echo>
+    <!-- sudo /path/to/GS3/bin/linux/certbot-auto revoke ==cert-path /etc/letsencrypt/live/DOMAIN/cert.pem -->
+    <!--  sudo echo &quot;Y\n&quot; | /path/to/GS3/bin/linux/certbot-auto revoke ==cert-path /etc/letsencrypt/live/DOMAIN/cert.pem 
+     See http://ant.1045680.n5.nabble.com/Running-lt-exec-gt-task-with-an-quot-interactive-quot-executable-td1349146.html
+     But shouldn't run certbot-auto by first sudoing. Run certbot-auto directly, it will ask to elevate to sudo permissions
+    -->
+    <exec executable="./certbot-auto" dir="${basedir}/bin/${os.bin.dir}" failonerror="true" inputstring="Y">
+      <arg line="revoke --staging --cert-path /etc/letsencrypt/live/${tomcat.server}/cert.pem"/>
+    </exec>
+
+    <!--<exec executable="./certbot-auto" dir="${basedir}/bin/${os.bin.dir}" failonerror="true">
+      <arg line="delete ==cert-name ${tomcat.server}"/>
+    </exec>-->
+    <!-- and remove the https_cert folder -->
+    <delete dir="${packages.home}/tomcat/conf/https_cert"/>
+  </target>
+
+  <target name="setup-cert-https-info">
+    <echo>
+      *********************************************************************
+               NOTE TO OBTAINING A TLS (SSL) CERTIFICATE FOR HTTPS
+      *********************************************************************
+      A certificate is needed for your GS server to serve pages over https.
+      This target will attempt to obtain a certificate for you from the official and free Certificate Authority Let's Encrypt.
+      However, a certificate can only be obtained if you have sudo permissions on this machine that you're installing Greenstone on.
+
+      Note that:
+      * if you already have a certificate, then you probably don't want to be running this target but the 'ant renew-cert-https' target instead, to renew your existing certificate.
+      * if you run this target when you already have a generated certificate, the existing certificate will remain unchanged and the script will terminate with a message alerting you to this fact.
+    </echo>
+  </target>
+
+  <target name="https-conditions-set">
+    <input addproperty="https.conditions.ok" validargs="y,n">     
+      To run this target, ensure you have:
+      * sudo permissions
+      * nothing running on port 80 when you run this target
+      * edited the build.properties file with
+        - tomcat.server set to the/a domain name of your server
+        - server.protocol set to "https"
+        - tomcat.port.https set to a valid port number
+        - keystore.pass set to a password for the certification process
+    * read the Let's Encrypt Subscriber Agreement at https://letsencrypt.org/repository/
+      If any of the above is not possible, quit this target. Continue [y/n]?
+    </input>
+
+    <condition property="quit.https.setup"> 
+      <equals arg1="n" arg2="${https.conditions.ok}"/>
+    </condition>
+
+    <fail if="quit.https.setup">https certification step aborted by user. Please edit build.properties to set server.protocol=http and comment out tomcat.port.https.</fail>
+  </target>
+
+  <target name="setup-cert-https" depends="setup-cert-https-info,https-conditions-set">
+    <input addproperty="https.cert.email">Enter an email that Let's Encrypt, the certification authority, can send any important notifications to</input>
+    <input addproperty="https.other.domains">Besides tomcat.server=${tomcat.server}, you may enter a comma separated list of additional domains to support if any</input>
+    <input addproperty="https.cert.agree" validargs="y,n">You've read the Let's Encrypt Subscriber Agreement at https://letsencrypt.org/repository/ and agree</input>
+    <if>
+      <bool><equals arg1="y" arg2="${https.cert.agree}"/></bool>
+
+      <condition property="https.cert.domains" value="${tomcat.server},${https.other.domains}" else="${tomcat.server}">
+    <and>
+      <isset property="https.other.domains" />
+      <not><matches string="${https.other.domains}" pattern="^\s*$"/></not>
+    </and>
+      </condition>      
+
+      <input addproperty="https.do.cert" validargs="y,n">
+    You've agreed to the Let's Encrypt TOS with
+    - email: ${https.cert.email}
+    - domains: ${https.cert.domains}
+    Looks okay? [y/n]
+      </input>
+    </if>
+
+    <if><bool><equals arg1="n" arg2="${https.do.cert}"/></bool>
+      <echo>Not proceeding with https certification for the Greenstone 3 web server</echo>
+    <else>
+      <echo>Proceeding...</echo>
+      <echo>### Phase 1: generating the certificate</echo>
+      <!-- ./certbot-auto certonly ==standalone ==preferred-challenges http ==email EMAIL -d DOMAINS 
+      need to accept (A) ToS and say Yes (Y) to sharing email -->
+      <exec executable="/bin/bash" dir="${basedir}/bin/${os.bin.dir}" failonerror="true">
+    <arg value="./certbot-auto"/>
+    <arg value="certonly"/>
+    <arg value="--staging"/>
+    <arg value="--standalone"/>
+    <arg value="--non-interactive"/>
+    <arg value="--agree-tos"/>
+    <arg value="--preferred-challenges"/><arg value="http"/>
+    <arg value="--email"/><arg value="${https.cert.email}"/>
+    <arg value="--domains"/><arg value="${https.cert.domains}"/>
+      </exec>
+
+      <echo>### Phase 2: pem to pkcs12</echo>
+      <!--
+      <echo>
+    ********************
+    You will next be asked to enter the Export Password 3 times. Each time,
+    type the value of your keystore.pass exactly as it is in build.properties.
+    ********************
+      </echo>-->
+
+      <!-- sudo openssl pkcs12 -export -out /tmp/DOMAIN_fullchain_and_key.p12 \
+        -in /etc/letsencrypt/live/DOMAIN/fullchain.pem \
+        -inkey /etc/letsencrypt/live/DOMAIN/privkey.pem \
+        -name tomcat
+        See https://computingforgeeks.com/tomcat-7-with-letsencrypt-ssl-certificate/
+        but also https://community.letsencrypt.org/t/using-lets-encrypt-with-tomcat/41082
+        which bypasses the step to generate the java keystore jks file
+        and uses openssl to generate a pfx file instead of a p12 file
+      -->
+
+      <exec executable="sudo" dir="/tmp" failonerror="true">
+    <arg line="${basedir}/bin/${os.bin.dir}/openssl/bin/openssl pkcs12 -export -out /tmp/${tomcat.server}_fullchain_and_key.p12 -in /etc/letsencrypt/live/${tomcat.server}/fullchain.pem -inkey /etc/letsencrypt/live/${tomcat.server}/privkey.pem -name tomcat -password pass:${keystore.pass}" />
+      </exec>
+
+      <!-- Finally, mkdir ${packages.home}/tomcat/conf/https_cert
+       and copy the file /tmp/${tomcat.server}_fullchain_and_key.p12 into it
+       and rename to a slightly shorter and simpler name. 
+       The file in tmp has root permissions. But copying it from tmp into
+       the local account will give the copy local account permissions.
+       Then sudo to remove the original copy in /tmp
+      -->
+      <mkdir dir="${packages.home}/tomcat/conf/https_cert"/>
+      <!--<copy file="/tmp/${tomcat.server}_fullchain_and_key.p12" todir="${packages.home}/tomcat/conf/https_cert"/>-->
+      <copy todir="${packages.home}/tomcat/conf/https_cert">
+    <fileset file="/tmp/${tomcat.server}_fullchain_and_key.p12"/>
+    <globmapper from="${tomcat.server}_fullchain_and_key.p12" to="fullchain_and_prvtkey.p12"/>
+      </copy>
+
+      <exec executable="sudo" dir="/tmp" failonerror="true">
+    <arg line="rm -f /tmp/${tomcat.server}_fullchain_and_key.p12" />
+      </exec>      
+      
+    </else>
+  </if>
+
+  </target>
 
   <!-- ======================= Tomcat Targets ========================== -->
@@ -1664 +1809 @@
     <filter token="tomcat.port.http" value="${tomcat.port.http}"/>
     <filter token="tomcat.port.https" value="${tomcat.port.https}"/>
-    <filter token="keystore.file" value="${web.writablehome}/https_cert/${tomcat.server}.jks" />
+    <!--<filter token="keystore.file" value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.jks" />-->
+    <filter token="keystore.file" value="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.p12" />
+    <!-- tomcat Connector's keystoreType param defaults to JKS (Java keystore), see https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
+    We'll follow the instructions at https://community.letsencrypt.org/t/using-lets-encrypt-with-tomcat/41082,
+    https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/
+    and https://computingforgeeks.com/tomcat-7-with-letsencrypt-ssl-certificate/ 
+    (minus the keytool step) and use the PKCS12 file generated by openssl directly,
+    instead of an additional step to generate the java keystore file from that -->
+    <filter token="keystore.type" value="PKCS12"/>
     <filter token="keystore.pass" value="${keystore.pass}"/>
     <filter token="http.comment.out.start" value="${http.comment.out.start}"/>

main/trunk/greenstone3/resources/tomcat/server_tomcat7.xml.svn

@@ -101 +101 @@
             keystoreFile="@keystore.file@"
             keystorePass="@keystore.pass@"
-            clientAuth="false" sslProtocol="TLS" />
+            clientAuth="false" sslProtocol="TLS"
+        keystoreType="@keystore.type@" />
     @https.comment.out.end@